Side by Side Diff: net/base/x509_certificate_nss.cc

Issue 125120: Use LOAD_VERIFY_EV_CERT to verify EV-ness in Verify().... (Closed) Base URL: svn://chrome-svn/chrome/trunk/src/
Patch Set: '' Created 11 years, 6 months ago
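--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424
 // until NSS 3.12.2 comes out and we update to it.
 #define Lock FOO_NSS_Lock
 #include <cert.h>
@@ -364,40 +364,43 @@
     if (dns_names->empty())
       dns_names->push_back(subject_.common_name);
   }
 
 // TODO(ukai): fix to use this method to verify certificate on SSL channel.
 // Note that it's not being used yet. We need to fix SSLClientSocketNSS to
 // use this method to verify ssl certificate.
 // The problem is that we get segfault when unit tests is going to terminate
 // if PR_Cleanup is called in NSSInitSingleton destructor.
 int X509Certificate::Verify(const std::string& hostname,
-                            bool rev_checking_enabled,
+                            int flags,
                             CertVerifyResult* verify_result) const {
   verify_result->Reset();
 
   // Make sure that the hostname matches with the common name of the cert.
   SECStatus status = CERT_VerifyCertName(cert_handle_, hostname.c_str());
   if (status != SECSuccess)
     verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
 
   // Make sure that the cert is valid now.
   SECCertTimeValidity validity = CERT_CheckCertValidTimes(
       cert_handle_, PR_Now(), PR_TRUE);
   if (validity != secCertTimeValid)
     verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
 
   CERTRevocationFlags revocation_flags;
   // TODO(ukai): Fix to use OCSP.
   // OCSP mode would fail with SEC_ERROR_UNKNOWN_ISSUER.
   // We need to set up OCSP and install an HTTP client for NSS.
   bool use_ocsp = false;
+  // EV requires revocation checking.
+  if (!(flags & VERIFY_REV_CHECKING_ENABLED))
+    flags &= ~VERIFY_EV_CERT;
 
   // TODO(wtc): Use CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE and
   // CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE for EV certificate
   // verification.
   PRUint64 revocation_method_flags =
       CERT_REV_M_TEST_USING_THIS_METHOD |
       CERT_REV_M_ALLOW_NETWORK_FETCHING |
       CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE |
       CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE |
       CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
@@ -470,25 +473,27 @@
       (verify_result->cert_status & CERT_STATUS_DATE_INVALID) != 0)
       err = SEC_ERROR_EXPIRED_CERTIFICATE;
     verify_result->cert_status |= MapCertErrorToCertStatus(err);
     return MapCertStatusToNetError(verify_result->cert_status);
   }
 
   GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
                    verify_result);
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
+  if ((flags & VERIFY_EV_CERT) && VerifyEV())
+    verify_result->cert_status |= CERT_STATUS_IS_EV;
   return OK;
 }
 
 // TODO(port): Implement properly on Linux.
-bool X509Certificate::IsEV(int status) const {
+bool X509Certificate::VerifyEV() const {
   NOTIMPLEMENTED();
   return false;
 }
 
 // static
 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
     const char* data, int length) {
   base::EnsureNSSInit();
 
   SECItem der_cert;
@@ -513,10 +518,10 @@
   DCHECK(0 != cert->derCert.len);
 
   SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data,
                               cert->derCert.data, cert->derCert.len);
   DCHECK(rv == SECSuccess);
 
   return sha1;
 }
 
 }  // namespace net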
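Review bot: The new EV gate at new lines 394-396 masks VERIFY_EV_CERT when revocation checking is off, but the revocation_method_flags built right below (new lines 401-406) still include CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE whether or not VERIFY_EV_CERT is set, so once VerifyEV() is implemented a chain whose revocation status was never actually obtained could still be marked CERT_STATUS_IS_EV at new line 483-484. The TODO(wtc) at new line 398 already names the stricter mode; now that `flags` is available at that point, the hunk could select it per request, e.g. `revocation_method_flags |= (flags & VERIFY_EV_CERT) ? CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE : CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE;` (whether that flag combines cleanly with CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE should be confirmed against the NSS docs). Relatedly, VerifyEV() takes no arguments, so it cannot see whether fresh revocation information was returned for this chain; a short comment on it, such as `// Must only report true when the chain was verified with revocation info required; see revocation_method_flags in Verify().`, would keep that contract visible to whoever replaces the NOTIMPLEMENTED() stub. The body of Verify() between the two hunks (66 lines, including where the old rev_checking_enabled value was consumed) is outside this view, so I cannot confirm every former use of that bool now reads `flags & VERIFY_REV_CHECKING_ENABLED`.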